Public resolvers

Tip
Public Resolvers: Several large organisations have announced DNS Privacy Servers - see DNS Privacy Public Resolvers
  • Quad9 (9.9.9.9) and Cloudflare (1.1.1.1) offer DNS-over-TLS on port 853
  • DoH servers are also currently listed on that page

Experimental DNS Privacy Recursive Servers

  • Live Monitoring Dashboard: https://dnsprivacy.org/jenkins/job/dnsprivacy-monitoring/
  • Live Traffic Graphs: https://dnsprivacy.org/wiki/display/DP/Live+Traffic+Levels
  • Map of server locations: https://dnsprivacy.org/wiki/display/DP/Map+of+test+server+locations

DoH servers

These are currently listed on the DNS Privacy Public Resolvers page and also the list maintained on the curl wiki. For any servers below with the note 'also does DoH' check these pages or the website of the service for the DoH endpoint.

DoT servers

The following servers are experimental DNS-over-TLS servers.

Warning
Note that these are experimental offerings (mainly by individuals/small organisations) with no guarantees on the lifetime of the service or service level provided. The level of logging may also vary (see the individual websites where available) - the information here about logging has not been verified. Also note that the single SPKI pins published here for many of these servers are subject to change (e.g. on certificate renewal) and should be used with care!

Stubby

A YAML configuration file for Stubby containing the details of these servers is provided with Stubby and can be found here. By default this file enables only the subset of servers operated by the stubby/getdns developers; users can choose to enable any of the other servers by uncommenting the relevant section (occasionally the file lags this page).

Servers run by the Stubby developers

Hosted by | IP addresses | TLS Ports | Hostname for TLS authentication | Base 64 encoded form of SPKI pin(s) for TLS authentication (RFC7858) | TLSA record published | Logging | Software | Notes

Supports

RFC7766 fully

SoftwareNotesgetdnsapi.netUPDATED on 13th April 2017!
1) The following are currently enabled in the default Stubby config file because they are run by the stubby/getdns developers and have no known issues.
Surfnet | 145.100.185.15, 2001:610:1:40ba:145:100:185:15 | 853, 443 | dnsovertls.sinodun.com | 62lKu9HsDVbyiPenApnc4sfmSYTHOVfFgL3pyB+cBL4= | Y | Traffic volume only | HAProxy + BIND 9.12 |
Surfnet | 145.100.185.16, 2001:610:1:40ba:145:100:185:16 | 853, 443 | dnsovertls1.sinodun.com | cE2ecALeE5B+urJhDrJlVFmf38cJLAvqekONvjvpqUA= | Y | Traffic volume only | Nginx + BIND 9.12 |
getdnsapi.net185.49.141.37
2a04:b900:0:100::37
853getdnsapi.netfoxZRnIh9gZpWnl+
zEiKa0EJ2rdCGroMWm02gaxSc9S=
NoUnbound
zEiKa0EJ2rdCGroMWm02gaxSc9Q=

YTraffic volume onlyUnbound

Other servers with a 'no logging' policy

Hosted by | IP addresses | TLS Ports | Hostname for TLS authentication | Base 64 encoded form of SPKI pin(s) for TLS authentication (RFC7858) | TLSA record published | Logging | Software | Notes
UncensoredDNS | 89.233.43.71, 2a01:3a0:53:53::0 | 853 | unicast.censurfridns.dk | wikE3jYAA6jQmXYTr/rbHeEPmC78dQwZbQp6WdrseEs= | Y | Traffic volume only | | See https://blog.uncensoreddns.org/
Fondation RESTENA (NREN for Luxemburg) | 158.64.1.29, 2001:a18:1::29 | 853 | kaitain.restena.lu | 7ftvIkA+UeN/ktVkovd/7rPZ6mbkhVI7/8HnFJIiLa4= | | Traffic volume only | Unbound | Configured with qname-minimisation, use-caps-for-id, aggressive-nsec, prefetch, harden-below-nxdomain and the newest auth-zone for local root zone caching.

Surfnet145.100.185.
15
18
2001:610:1:40ba:145:100:185:
15
18853
dnsovertls
dnsovertls3.sinodun.com
62lKu9HsDVbyiPenApnc4sfmSYTHOVfFgL3pyB+cBL4Supports TFO
5SpFz7JEPzF71hditH1v2dBhSErPUMcLPJx1uk2svT8=

No, but does do concurrent
processing of queries.

YTraffic volume onlyHAProxy + BIND

Only listening on TLS on port 853

(no UDP or TCP on port 53)
9.12Supports TLS 1.3 and TLS 1.2. Our initial stability problems are solved... see here for details.
Surfnet145.100.185.
16
17
2001:610:1:40ba:145:100:185:
16
17853
dnsovertls1
dnsovertls2.sinodun.com
cE2ecALeE5B+urJhDrJlVFmf38cJLAvqekONvjvpqUA

Only listening on TLS on port 853

(no UDP or TCP on port 53)
NAXBESvpjZMnPWQcrxa2KFIkHV/pDEIjRkA3hLWogSg=
No, but does do concurrent
processing of queriesNginx + BIND
YTraffic volume onlyKnot Resolver
dkg199.58.81.218
2001:470:1c:76d::53
853
443

53053

dns.cmrg.net3IOHSS48KOc/zlkKGtI46a9TY9PPKDVGhE3W2ZS4JZo=
5zFN3smRPuHIlM/8L+hANt99LW26T97RFHqHv90awjo=
No, but does do concurrent
processing of queries.

NoneKnot ResolverSee https://dns.cmrg.net/
Note that on port 443 this server can serve both HTTP 1.1 traffic (to securely access the nameserver credentials) on TLS connections and DNS-over-TLS on separate TLS connections due to some nifty, experimental demultiplexing of traffic. So if port 853 may be blocked then this is a good option.
OARC

184.105.193.78

2620:ff:c000:0:1::64:25

853

tls-dns-u.odvr.dns-oarc.net

pOXrpUt9kgPgbWxBFFcBTbRH2heo2wHwXp1fd4AEVXI=

NoUnboundSee OARC websiteYeti

2001:4b98:dc2:43:216:3eff:fea9:41a

853

dns-resolver.yeti.eu.org

8jkVGv5GP34E70/tDu+j2vnZ1bikayym2QvF4mkX11g=

NoUnboundSee https://dns-resolver.yeti.eu.org/Yeti2a00:e50:f15c:1000::2:53853yeti-rr.datev.netstunnel + UnboundUncensoredDNS

89.233.43.71 

2a01:3a0:53:53::

853

unicast.censurfridns.dk

See https://blog.uncensoreddns.org/Lorraine Data Network

80.67.188.188

853

https://ldn-fai.net/serveur-dns-recursif-ouvert/

Uses a self-signed certificate, no key published, described here. Has some issues with DNSSEC responses - this is under investigation.
dns.larsdebruin.net (Previously dns1.darkmoon.is) | 51.15.70.167 | 853 | dns.larsdebruin.net | AAT+rHoKx5wQkWhxlfrIybFocBu3RBrPD2/ySwIwmvA= (UPDATED on 30 Jan 2018) | | Traffic volume only | Unbound |
securedns.eu | 146.185.167.43, 2a03:b0c0:0:1010::e9a:3001 | 853 | dot.securedns.eu | h3mufC43MEqRD6uE4lz6gAgULZ5/riqH/E+U+jE3H8g= | | None | HaProxy + Bind | UPDATE: This service will be decommissioned on 30th April 2020!
dns-tls.bitwiseshift.net | 81.187.221.24, 2001:8b0:24:24::24 | 853 | dns-tls.bitwiseshift.net | YmcYWZU5dd2EoblZHNf1jTUPVS+uK3280YYCdz4l4wo= | | None | Unbound |
ns1.dnsprivacy.at | 94.130.110.185, 2a01:4f8:c0c:3c03::2 | 853 | ns1.dnsprivacy.at | vqVQ9TcoR9RDY3TpO0MTXw1YQLjF44zdN3/4PkLwtEY= | | None | Unbound | See https://dnsprivacy.at/
ns2.dnsprivacy.at | 94.130.110.178, 2a01:4f8:c0c:3bfc::2 | 853 | ns2.dnsprivacy.at | s5Em89o0kigwfBF1gcXWd8zlATSWVXsJ6ecZfmBDTKg= | | None | Unbound |
dns.bitgeek.in (India) | 139.59.51.46 | 853 | dns.bitgeek.in | FndaG4ezEBQs4k0Ya3xt3z4BjFEyQHd7B75nRyP1nTs= | | Traffic volume only | Nginx + BIND |
Lorraine Data Network | 80.67.188.188, 2001:913::8 | 853, 443 | | WaG0kHUS5N/ny0labz85HZg+v+f0b/UQ73IZjFep0nM= | | Traffic volume only | stunnel 4 + BIND | See https://ldn-fai.net/serveur-dns-recursif-ouvert/ (note, logging of IP address at stunnel no longer performed). A self-signed certificate is used, so SPKI pinning must be used.
dns.neutopia.org | 89.234.186.112, 2a00:5884:8209::2 | 853, 443 | dns.neutopia.org | wTeXHM8aczvhRSi0cv2qOXkXInoDU+2C+M8MpRyT3OI= | | No logging | Knot resolver |
BlahDNS | 108.61.201.119, 2001:19f0:7001:1ded:5400:01ff:fe90:945b | 853, 443 | dot-jp.blahdns.com | | | No logging | | https://blahdns.com/ NOTE1: Located in Japan. Also does DoH. NOTE2: Note that port 443 REQUIRES an authentication name. UPDATED 22nd JAN 2018: note the authentication name has changed.
BlahDNS | 159.69.198.101, 2a01:4f8:1c1c:6b4b::1 | 853, 443 | dot-de.blahdns.com | | | No logging | | https://blahdns.com/ NOTE1: Located in Frankfurt. Also does DoH. NOTE2: Note that port 443 REQUIRES an authentication name.

Go6Lab | 2001:67c:27e4::35 | 853 | privacydns.go6lab.si | g5lqtwHia/plKqWU/Fe2Woh4+7MO3d0JYqYJpj/iYAw= | | No logging | Unbound |
Tenta | 99.192.182.200, 66.244.159.200 | 853 | iana.tenta.io | | | Traffic volume only | Tenta | https://tenta.com/privacy-policy
Tenta | 99.192.182.100, 66.244.159.100 | 853 | opennic.tenta.io | | | Traffic volume only | Tenta | NOTE: Uses OpenNIC Root!


dns.233py.com | Various, see notes | 853 | dns.233py.com | | | No logging | Unbound + DOH C/S | https://dns.233py.com (Chinese language version). Shanghai (Eastern China): 47.101.136.37/edns.233py.com; Chongqing (Western China): 118.24.208.197/wdns.233py.com; Beijing (North China): 114.115.240.175/ndns.233py.com; Guangzhou (Southern China): 119.29.107.85/sdns.233py.com. NOTE: Blocks ads and trackers. Also supports DoH (see website).

Secure DNS Project by PumpleX | 51.38.83.141, 2001:41d0:801:2000::d64 | 853 | dns.oszx.co | P/Auj1pm8MiUpeIxGcrEuMJOQV+pgPY0MR4awpclvT4= | | No logging | | https://dns.oszx.co NOTE1: Also does DoH and dnscrypt. NOTE2: Performs ad blocking.
Foundation for Applied Privacy | 37.252.185.232, 2a00:63c1:a:229::3 | 853, 443 | dot1.appliedprivacy.net | | Y | Only aggregated logging, no PII | unbound | https://appliedprivacy.net/services/dns/ NOTE: Also does DoH and has an .onion endpoint.

ibksturm.synology.me | 178.82.102.190 | 853 | ibksturm.synology.me | | | No logging | nginx + unbound | https://github.com/ibksturm/dnscrypt-switzerland NOTE: Also does DoH and dnscrypt; no filters, opennic root copy.

DNS Warden | 116.203.70.156, 2a01:4f8:1c1c:75b4::1 | 853 | dot1.dnswarden.com | | | No logging | dnsdist | DETAILS UPDATED 18th Mar 2019. Website is a work in progress: dnswarden.com. NOTE1: These servers have ad and tracker blocking with return of NXDOMAIN for bad domains. NOTE2: Also supports OpenNIC TLDs. Also does DoH.
DNS Warden | 116.203.35.255, 2a01:4f8:1c1c:5e77::1 | 853 | dot2.dnswarden.com | | | No logging | dnsdist |

Servers with minimal logging/limitations

These servers do some logging, use self-signed certs or do not support Strict mode.

Hosted by | IP addresses | TLS Ports | Hostname for TLS authentication | Base 64 encoded form of SPKI pin(s) for TLS authentication (RFC7858) | TLSA record published | Logging | Software | Notes
NIC Chile | 200.1.123.46, 2001:1398:1:0:200:1:123:46 | 853 | dnsotls.lab.nic.cl | pUd9cZpbm9H8ws0tB55m9BXW4TrD4GZfBAB0ppCziBg= | Y | Yes, for research purposes | Unbound | Details updated 18th Sept - now uses Let's Encrypt cert
OARC | 184.105.193.78, 2620:ff:c000:0:1::64:25 | 853 | tls-dns-u.odvr.dns-oarc.net | pOXrpUt9kgPgbWxBFFcBTbRH2heo2wHwXp1fd4AEVXI= | | Yes, see OARC website | Unbound | See OARC website. NOTE: As of June 2017 this server does not support Strict Mode because it does not offer the correct cipher suites to match RFC7525 recommendations.
Rubyfish Internet Tech | 115.159.154.226, 47.99.165.31 | 853 | dns.rubyfish.cn | DBDigty3zDS7TN/zbQOmnjZ0qW+qbRVzlsDKSsTwSxo= | | Yes, see rubyfish website (only Chinese version now) | Unbound | 115.159.154.226/ea-dns.rubyfish.cn uses an upstream located in Hong Kong/Japan to resolve domains poisoned by the China-GFW; 47.99.165.31/uw-dns.rubyfish.cn uses an upstream located in US-West.